fix: remove previous roles and users

pkg/cloud/services/iamauth/configmap.go

@@ -88,6 +88,44 @@ func (b *configMapBackend) MapUser(mapping ekscontrolplanev1.UserMapping) error
 	return b.saveAuthConfig(authConfig)
 }
 
+func (b *configMapBackend) MapUsers(mappings []ekscontrolplanev1.UserMapping) error {
+	for _, mapping := range mappings {
+		if errs := mapping.Validate(); errs != nil {
+			return kerrors.NewAggregate(errs)
+		}
+	}
+
+	authConfig, err := b.getAuthConfig()
+	if err != nil {
+		return fmt.Errorf("getting auth config: %w", err)
+	}
+
+	authConfig.UserMappings = []ekscontrolplanev1.UserMapping{}
+
+	authConfig.UserMappings = append(authConfig.UserMappings, mappings...)
+
+	return b.saveAuthConfig(authConfig)
+}
+
+func (b *configMapBackend) MapRoles(mappings []ekscontrolplanev1.RoleMapping) error {
+	for _, mapping := range mappings {
+		if errs := mapping.Validate(); errs != nil {
+			return kerrors.NewAggregate(errs)
+		}
+	}
+
+	authConfig, err := b.getAuthConfig()
+	if err != nil {
+		return fmt.Errorf("getting auth config: %w", err)
+	}
+
+	authConfig.RoleMappings = []ekscontrolplanev1.RoleMapping{}
+
+	authConfig.RoleMappings = append(authConfig.RoleMappings, mappings...)
+
+	return b.saveAuthConfig(authConfig)
+}
+
 func (b *configMapBackend) getAuthConfig() (*ekscontrolplanev1.IAMAuthenticatorConfig, error) {
 	ctx := context.Background()
 

pkg/cloud/services/iamauth/crd.go

@@ -104,6 +104,26 @@ func (b *crdBackend) MapUser(mapping ekscontrolplanev1.UserMapping) error {
 	return b.client.Create(ctx, iamMapping)
 }
 
+func (b *crdBackend) MapRoles(mappings []ekscontrolplanev1.RoleMapping) error {
+	for _, mapping := range mappings {
+		if err := b.MapRole(mapping); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (b *crdBackend) MapUsers(mappings []ekscontrolplanev1.UserMapping) error {
+	for _, mapping := range mappings {
+		if err := b.MapUser(mapping); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func roleMappingMatchesIAMMap(mapping ekscontrolplanev1.RoleMapping, iamMapping *iamauthv1.IAMIdentityMapping) bool {
 	if mapping.RoleARN != iamMapping.Spec.ARN {
 		return false

pkg/cloud/services/iamauth/iamauth.go

@@ -38,6 +38,10 @@ type AuthenticatorBackend interface {
 	MapRole(mapping ekscontrolplanev1.RoleMapping) error
 	// MapUser is used to map a user ARN to a user and set of groups
 	MapUser(mapping ekscontrolplanev1.UserMapping) error
+	// MapUsers is used to set multiple user ARN to a users and groups
+	MapUsers(mapping []ekscontrolplanev1.UserMapping) error
+	// MapRoles is used to set multiple role ARN to a users and groups
+	MapRoles(mapping []ekscontrolplanev1.RoleMapping) error
 }
 
 // BackendType is a type that represents the different aws-iam-authenticator backends.

pkg/cloud/services/iamauth/reconcile.go

@@ -63,18 +63,13 @@ func (s *Service) ReconcileIAMAuthenticator(ctx context.Context) error {
 
 	s.scope.V(2).Info("Mapping additional IAM roles and users")
 	iamCfg := s.scope.IAMAuthConfig()
-	for _, roleMapping := range iamCfg.RoleMappings {
-		s.scope.V(2).Info("Mapping IAM role", "iam-role", roleMapping.RoleARN, "user", roleMapping.UserName)
-		if err := authBackend.MapRole(roleMapping); err != nil {
-			return fmt.Errorf("mapping iam role: %w", err)
-		}
+
+	if err := authBackend.MapRoles(iamCfg.RoleMappings); err != nil {
+		return fmt.Errorf("mapping iam role: %w", err)
 	}
 
-	for _, userMapping := range iamCfg.UserMappings {
-		s.scope.V(2).Info("Mapping IAM user", "iam-user", userMapping.UserARN, "user", userMapping.UserName)
-		if err := authBackend.MapUser(userMapping); err != nil {
-			return fmt.Errorf("mapping iam user: %w", err)
-		}
+	if err := authBackend.MapUsers(iamCfg.UserMappings); err != nil {
+		return fmt.Errorf("mapping iam user: %w", err)
 	}
 
 	s.scope.Info("Reconciled aws-iam-authenticator configuration", "cluster-name", s.scope.KubernetesClusterName())